Adding OWA 2010

Note: Before attempting this configuration, ensure that all settings and config files that will be modified are backed up independently.

Note: This configuration is only compatible with OWA Exchange 2010

Configuration Steps

Select Directory Manager.

Select Groups.

Name the Group OWAUsers. Note: If you have other existing Groups for SSO users you can use one of these as well.

Select ADD GROUP.

Select SSO Manager.

Select the green plus sign in the bottom right corner.

Select the Catalog Icon.

Select Outlook Web Access.

Select Application is Enabled.

Select your desired Authentication Policy.

Select Protocol Setup and update the Reply To URL value to match the FQDN of your Exchange host.

Update the Audience URI value to match the FQDN of your Exchange host.

Select Attribute Transformation.

Verify the User.EmailAddress property is the correct value to send to represent the UPN in Active Directory.

Note: If this value does not work you might consider creating a custom transform such as "{User.PrincipalName}@domain.com" which will generate a value of "name@domain.com".

Note: Exchange explicitly requires the PrimarySid claim and will not sign a user in without the value matching the SID of the user. This attribute was added to the sync set recently and may require a minor configuration update to include it in the DirSync process. You can find the steps to update the synchronization below. You will need to provide this value manually as a custom attribute for a user if you have not configured Directory Synchronization.

Windows Identity Foundation (WIF) is a Microsoft framework for building identity-aware applications. It is a core component in configuring OWA for Single Sign On and will need to be in place before proceeding.

Note: The line <authentication mode="Windows" /> may already exist in your configuration. If so, only add the authorization tag shown above and ignore the authentication tag.

Get the certificate "Thumbprint" from the AuthAnvil SSO signing certificate in the Outlook Web application. Download the certificate from the Outlook Web application in AuthAnvil Single Sign On. Open the certificate, click on the Details tab, scroll to the bottom and look for the Thumbprint item. Copy out this value, removing all spaces and changing all letters to UPPERCASE. A simple way to do this is to open a PowerShell window and execute the following command:

"<paste thumbprint here>".ToUpper().Replace(" ", "")

If the result has a ? in front of it (a hidden non-printing character that gets copied along with the thumbprint), remove it. You will need this uppercase Thumbprint value for the next step.

Add the following lines right after </runtime> (near the end of the file). Note that the values in red must be entered to match your OWA and AuthAnvil SSO server configuration:

Note: "uri:authanvil:sso:site1" represents the Token Issuer Name in the AuthAnvil Manager -> Single Sign On -> Server Settings

Save the file.

Step 6 – Update ECP

The Exchange Control Panel (ECP) is the section of Outlook Web that manages user details such as changing a password, setting an Inbox rule, or configuring automatic replies. This panel requires an additional configuration change that is almost identical to the /owa/web.config change in Step 5, but this configuration file serves a different purpose, so do not copy the owa/web.config over the ecp/web.config.

Run notepad elevated (Run as Administrator) and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp\Web.config

At the top of the file, after <configuration> add the following lines:

Get the certificate "Thumbprint" from the AuthAnvil SSO signing certificate in the Outlook Web application. Download the certificate from the Outlook Web application in AuthAnvil Single Sign On. Open the certificate, click on the Details tab, scroll to the bottom and look for the Thumbprint item. Copy out this value, removing all spaces and changing all letters to UPPERCASE. A simple way to do this is to open a PowerShell window and execute the following command:

"<paste thumbprint here>".ToUpper().Replace(" ", "")

If the result has a ? in front of it (a hidden non-printing character that gets copied along with the thumbprint), remove it. You will need this uppercase Thumbprint value for the next step.

Add the following lines right after </runtime> (near the end of the file). Note that the values in red must be entered to match your OWA and AuthAnvil SSO server configuration:

Note: "uri:authanvil:sso:site1" represents the Token Issuer Name in the AuthAnvil Manager -> Single Sign On -> Server Settings

Save the file.
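An added cross-check for the thumbprint step in both the OWA and ECP sections above (example code, not part of the original article and not AuthAnvil's tooling): it normalises a pasted thumbprint the way the PowerShell one-liner does, additionally strips the hidden character behind the leading "?", insists on the 40 hex digits of a SHA-1 thumbprint, and recomputes the thumbprint from the downloaded certificate (SHA-1 over the DER bytes) so the two values can be compared. The PEM in the block is a constructed placeholder, not a real certificate.

```python
"""Thumbprint helpers for the web.config step (added example, not AuthAnvil's code)."""
import base64
import hashlib
import re

# Constructed sample of what pasting from the certificate Details tab typically gives:
# spaced lowercase hex preceded by an invisible U+200E LEFT-TO-RIGHT MARK, which is
# what shows up as the stray "?" the article mentions.
PASTED_THUMBPRINT = "\u200ea9 0b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d"

# Constructed placeholder, NOT a real certificate: the body is just base64 of arbitrary
# bytes, enough to exercise the decode-and-hash path.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQ=\n"
    "-----END CERTIFICATE-----\n"
)


def normalise_thumbprint(raw: str) -> str:
    """Same effect as .ToUpper().Replace(" ", "") in PowerShell, but also drops the hidden
    mark and any other non-hex character, then requires the 40 hex digits of a SHA-1
    thumbprint so a truncated or mangled copy is caught before it goes into web.config."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(cleaned) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(cleaned)}: {cleaned!r}")
    return cleaned


def thumbprint_from_pem(pem_text: str) -> str:
    """Recompute the thumbprint from the downloaded certificate: SHA-1 over the DER bytes,
    uppercase hex, which is the value the Details tab displays."""
    body = "".join(line.strip() for line in pem_text.splitlines() if not line.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


def thumbprint_matches(pasted: str, pem_text: str) -> bool:
    """True when the pasted value, once normalised, equals the certificate's real thumbprint."""
    try:
        return normalise_thumbprint(pasted) == thumbprint_from_pem(pem_text)
    except ValueError:
        return False


if __name__ == "__main__":
    print(normalise_thumbprint(PASTED_THUMBPRINT))
```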

Updating the AuthAnvil Database to allow for access to /ecp/

Open SQL Management Studio and connect to the AuthAnvil SQL instance.

Expand Databases > Anvil > Tables

Right-click on SSO_ServiceProviderProperty and select “Edit Top 200 Rows” or “Open Table”

There should be two “Outlook Web App” entries. Look for the one that has data in the “ProtocolConfiguration” column.

In the “ProtocolConfiguration” column there should be some text similar to this:

{"Properties":[{"Key":"WSFedProtocolVersion","Value":"WS 1.3"},{"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},{"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}]}

Note: It will look a little bit different all on one line.

First, copy it out into Notepad so you have a backup of the text. Next, we will add one more {Key,Value} pair into these Properties. Copy this with the comma:

{"Key":"ReplyToOption","Value":"SameDomain"},

Add that code immediately after:

{"Properties":[

and immediately before:

{"Key":"WSFedProtocolVersion","Value":"WS 1.3"},

The end result looks something like this when it's all crammed on one line:

Hit "Enter" to save the configuration, then let's test it. You might want to run an iisreset on AuthAnvil and restart your browser, but it should just work once you refresh the page.
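The ProtocolConfiguration edit above, carried out on the JSON rather than by splicing text, as an added example (not part of the original article and not AuthAnvil's tooling): it inserts the ReplyToOption pair as the first property, refuses a value that does not parse, and is a no-op when the pair is already present, so running it twice cannot produce a duplicate key. The sample value is the one the article shows, constructed here as an inline string.

```python
"""Add the ReplyToOption property to an AuthAnvil ProtocolConfiguration value
(added example; not AuthAnvil's own tooling)."""
import json

# Constructed sample: the ProtocolConfiguration text exactly as the article shows it.
SAMPLE_PROTOCOL_CONFIGURATION = (
    '{"Properties":[{"Key":"WSFedProtocolVersion","Value":"WS 1.3"},'
    '{"Key":"SignatureAlgorithm","Value":"http:\\/\\/www.w3.org\\/2001\\/04\\/xmldsig-more#rsa-sha256"},'
    '{"Key":"DigestAlgorithm","Value":"http:\\/\\/www.w3.org\\/2001\\/04\\/xmlenc#sha256"}]}'
)


def add_reply_to_option(protocol_configuration: str, value: str = "SameDomain") -> str:
    """Return the configuration with {"Key":"ReplyToOption","Value":value} as the first
    property. Parsing the JSON means a typo made while editing the row fails here rather
    than breaking the SSO application later. Already-updated input is returned unchanged."""
    config = json.loads(protocol_configuration)
    properties = config.get("Properties")
    if not isinstance(properties, list):
        raise ValueError('ProtocolConfiguration has no "Properties" list')
    for prop in properties:
        if prop.get("Key") == "ReplyToOption":
            if prop.get("Value") != value:
                raise ValueError(f"ReplyToOption already set to {prop.get('Value')!r}")
            return protocol_configuration
    properties.insert(0, {"Key": "ReplyToOption", "Value": value})
    # Compact output, with "/" written as "\/" to match the style of the existing row
    # (both spellings decode to the same JSON value).
    return json.dumps(config, separators=(",", ":")).replace("/", "\\/")


def get_property(protocol_configuration: str, key: str):
    """Look up one Key in the Properties list; None when it is absent."""
    for prop in json.loads(protocol_configuration)["Properties"]:
        if prop.get("Key") == key:
            return prop.get("Value")
    return None


if __name__ == "__main__":
    # Prints the single-line value to paste back into the ProtocolConfiguration column.
    print(add_reply_to_option(SAMPLE_PROTOCOL_CONFIGURATION))
```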

Step 7 – Update Exchange

Open the Exchange Management Console.

Under Server Configuration -> Client Access, open the owa configuration under the “Outlook Web App” tab.

On the Authentication tab, make sure "Use forms-based authentication" is not checked. Select "Use one or more standard authentication methods:" and leave the checkboxes blank.

Open up Internet Information Services (IIS) Manager.

Expand the site where OWA is installed and click on the “owa” application.

Double-click the Authentication icon and verify that Anonymous Authentication is set to Enabled.

Verifying Functionality

Once the configuration is complete, you should test that everything is working as expected. Log into the SSO portal with a user that is authorized to access OWA and attempt to click on the “Outlook Web” application. You should automatically be redirected to your OWA inbox.

You can test the ECP menu by going into OWA and clicking Options > See All Options. If the Options portal loads with no errors or other authentication, both the OWA and ECP configurations are successful.